Directory Services

Upgrading from OpenDS to OpenDJ

LudoLeave a comment

OpenDJ 2.4.0 was released a couple of months ago, and we’re seeing a lot of interest for it, especially from people who’ve already been evaluating OpenDS.

It is possible, and very easy, to upgrade from OpenDS 2.x to the latest version of OpenDJ. Here’s the easiest and more error-proof way.

First start by downloading the latest version of OpenDJ from ForgeRock web site. Currently the most recent release is OpenDJ 2.4.0, but nightly builds of coming OpenDJ 2.5.0 are also available. While you can run the upgrade through the Java web start installer, I recommend that you download the Zip package and run the upgrade from the command line.

Download and/or copy the OpenDJ zip package on the machine which has the instance to upgrade. Do not unzip it.

Go in the directory of the instance to upgrade:

cd /local/OpenDS2.2/

From that place, run the OpenDS 2.2 upgrade command :

./upgrade

The first question you’re asked is to confirm you plan to do an upgrade, so press the <Enter> key

The provide the full absolute path to the OpenDJ zip package, for example : /tmp/OpenDJ-2.4.0.zip

And then continue with the Upgrade program.

Should some customization of the schema or the configuration failing to be upgraded, the Upgrade program will stop and ask you what you want to do. You can review the details and decide to abort or continue the upgrade.

If you’re not sure about what to do, please consider continuing the upgrade. All files and customizations are preserved under the history directory and you can review them and decide if you want to try to reconfigure or not the upgraded server.

And do not forget to rebuild the dn2id index after the upgrade, as there’s been a change of format in this system index, to correct a defect and improve space efficiency.  To do so, stop the upgraded server and run the rebuild-index command :

bin/rebuild-index <some options> -i dn2id -b "<suffix>"

If you have a replicated environment, you can upgrade all the servers, one after the other, without interrupting the service nor changing anything in the replication configuration. The upgrade of a single server should take less than 5 minutes.

Prior to running an upgrade, we recommend you take a full backup of the server. A quick way to do this with small databases, is to stop the server and just fully copy it to another location. You can run the upgrade and then move back the copy in place if something didn’t run as expected.

Enjoy.

Update on Feb 27: Mention the need to rebuild the dn2id index. This was described in the 2.4.0 release notes, but was missing here.

Update on June 3: When upgrading to OpenDJ 2.4.2 or later, it is necessary to run a simple script against the OpenDS or OpenDJ instances before running the upgrade command. This script is patching a file used for the upgrade to detect schema changes. More details are available in the OpenDJ 2.4.2 Installation Guide.

OpenDJ LDAP server for Snow Leopard Server and Unix

Ludo1 Comment

One of the things that I appreciate with Mac OS X is that it’s based on Unix, the family of operating systems I’ve been using since my years at university.

And what’s more natural to integrate a  Unix system with other Unix systems ? Well, one point of integration for identities and services is an LDAP directory server, like OpenDJ, the Open source LDAPv3 Directory service in Java.

Phillip Steinbachs has been working on a pet project of his: providing Mac OS X desktop environment via SunRay thin-clients. For this, he needed to have his Apple Xserver boxes, running Snow Leopart Server, to be integrated within the current LDAP and NFS environment, based on OpenDS (from which OpenDJ derives). Having successfully done it, Phillip just posted a summary of the changes needed to have its integrated, including the proper schema files. A good reference post for whoever wants to integrate its Mac OS based machines with LDAP!

Sun directory products documentation

LudoLeave a comment

Last week-end all Sun products documentation got moved from docs.sun.com to Oracle.com domain, with new IDs. So all URLs and bookmarks have been “lost in translation” !

On this blog, I had numerous references to Sun directory product documentations, pointing to specific commands or chapters for configuring and managing the service… All are now redirecting to the main Oracle’s documentation page. 😦

But I managed to find the place where the Sun Directory Server documentation is listed, from iPlanet Directory Server 4.11 to the latest Oracle Directory Server Enterprise Edition 11g : the Legacy Sun Identity Management Documentation. There are link for both the online and the PDF versions.

Here, you will also find access to the OpenSSO enterprise 8.0 documentation as well as Sun OpenDS one.

Pfew! I was afraid everything disappeared.

On a side note, classifying the so called “strategicOracle Directory Server Enterprise Edition 11g in the legacy products seems to say a lot about its future !

Directory Administrative Accounts – cont.

Ludo2 Comments

In a previous post, I’ve explained how to create multiple administrative accounts in the OpenDJ directory service. Today we’re going to look at restricting what applications can do with these administrative accounts.

In the OpenDJ directory service, there are 2 types of authorization systems :

  • Privileges control who can perform which administrative tasks : backup, restore, stop and restart of the server, managing acl…
  • Access Controls Lists govern the access to the data through LDAP operations.

Most operations involving sensitive or administrative data require that the user has both the privilege and authorization. This allows finer-grain authorization for specific data related action such as managing acl or reseting passwords.

The Privilege SubSystem

Privileges are assigned to users and apply globally to the directory service. Any user can be granted or denied any privilege and by default only the RootDN users are assigned a default set of privileges.

That set of privileges assigned to RootDN users is defined by the “default-root-privilege-name” property, which can be listed or modified using the dsconfig command.

To list the current default privileges assigned to all RootDN users :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n get-root-dn-prop

Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : bypass-lockdown, cancel-request, config-read,
                            : config-write, disconnect-client, ldif-export,
                            : ldif-import, modify-acl, password-reset,
                            : privilege-change, server-lockdown,
                            : server-restart, server-shutdown, subentry-write,
                            : unindexed-search, update-schema

To make sure that all searches are done with proper indexes, you may want to remove the privilege to all Administrative Accounts to perform unindexed searches :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n set-root-dn-prop –remove default-root-privilege-name:unindexed-search

Note: Removing this privilege to all Administrative accounts including the default “cn=Directory Manager” may have side effects for certain internal operations such as group membership, referential integrity…

Whenever adding a new Administrative Account under the “cn=Root DNs,cn=config” container, it automatically inherits from those privileges. But each administrative account can then be denied or added specific privileges by adding values of the “ds-privilege-name” attribute directly in the user entry, in the form of the privilege name or a Minus sign followed by the privilege name.

For example, I can make sure that my newly added Administrative Account is subject to access controls and cannot modify access controls lists, I modify the entry as followed :

Create a temporary file modAdminPrivileges.ldif with the following LDIF modification statement:

dn: cn=Second Admin,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: -bypass-acl
ds-privilege-name: -modify-acl

And then apply it to the directory service with the following command :

bin/ldapmodify -h localhost -p 4444 -X -Z -D “cn=directory manager” -j /var/tmp/dmpassfile -f modAdminPrivileges.ldif

Using similar commands and different privileges, one could completely separate the administrative tasks and restrict each Administrative Account to its specific tasks.

But the great thing about privileges is that they can also be granted to regular users part of the Directory Information Tree, allowing them to become administrators for very specific tasks.

The complete list of privileges supported in OpenDJ 2.4 is below:

  • backend-restore: Ability to perform backend restore operations.
  • bypass-acl: Ability to bypass access control evaluation.
  • bypass-lockdown:Ability to bypass server lockdown mode.
  • cancel-request: Ability to cancel arbitrary client requests.
  • config-read: Ability to read the server configuration.
  • config-write: Ability to update the server configuration.
  • data-sync: Ability to participate in a data synchronization environment.
  • disconnect-client: Ability to terminate arbitrary client connections.
  • jmx-notify: Ability to subscribe to JMX notifications.
  • jmx-read: Ability to perform read operations via JMX.
  • jmx-write: Ability to perform write operations via JMX.
  • ldif-export: Ability to perform LDIF export operations.
  • ldif-import: Ability to perform LDIF import operations.
  • modify-acl: Ability to modify access control rules.
  • password-reset: Ability to reset user passwords.
  • privilege-change: Ability to change the set of privileges for a user, or to change the set of privileges automatically assigned to a root user.
  • proxied-auth: Ability to perform proxied authorization or request an alternate authorization identity.
  • server-lockdown: Ability to lockdown a server.
  • server-restart: Ability to request a server restart.
  • server-shutdown: Ability to request a server shutdown.
  • subentry-write: Ability to perform write operations on LDAP subentries.
  • unindexed-search: Ability to perform an unindexed search
  • update-schema: Ability to update the server schema.

Multiple Directory Administrative Users

Ludo6 Comments

Most of LDAP directory servers configure a single well known directory administrative account (cn=Directory Manager [,dc=example,dc=com]) which has full access to everything. While there is a need to have one special user to bootstrap the server, we are too often seeing that special account being used by all applications that have specific administrative needs : the provisioning application, the email management application, …

OpenDJ has different mechanisms to define multiple administrative accounts, but today, I’m going to focus on the “Root DNs” i.e. defining multiple Directory Managers.

The default administrative account is “cn=Directory Manager”, and is stored in the configuration under the “cn=Root DNs,cn=config” container entry.

Adding another administrative account is as simple as adding another entry under that container, with one specific objectClass : ds-cfg-root-dn-user.

Create a file newAdmin.ldif

dn: cn=Second Admin,cn=Root DNs,cn=config
cn: Second Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ds-cfg-root-dn-user
sn: Second Admin
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password42

ldapmodify -a -D cn=Directory Manager -j /var/tmp/dmpassfile -f  newAdmin.ldif

Processing ADD request for cn=Second Admin,cn=Root DNs,cn=config
ADD operation successful for DN cn=Second Admin,cn=Root DNs,cn=config

If you prefer, you can choose not to set the password in the LDIF file, but set it in a secure way afterwards :

$ bin/ldappasswordmodify -p 1389 -D “cn=directory manager” -j /var/tmp/dmpassfile -a “”cn=Admin2,dc=example,dc=com” -N /var/tmp/newpw
The LDAP password modify operation was successful

Where /var/tmp/dmpassfile contains the password for “cn=directory manager” and /var/tmp/newpw the new password for Admin2.

Did you notice the “ds-cfg-alternate-bind-dn” attribute in the definition of the new administrative account ? This enables to authenticate to the directory server with the DN value specified in this attribute, while the entry still has a DN and is located under the “cn=config” suffix.

So now, don’t hesitate to create different administrative accounts for the various applications that need special access to the directory.

In a follow-up post, I will explain how to restrict what those administrative accounts can do in the OpenDJ directory service.

OpenDJ 2.4.0 has been released

Ludo6 Comments

I’m very pleased to announce the first full release of our Open source Directory services for the Java platform : OpenDJ 2.4.0.

Based on open source and open standards, OpenDJ is a new LDAPv3 compliant directory service, providing a high performance, highly available and secure store for the identities managed by enterprises. Its easy installation process, combined with the power of the Java platform makes of OpenDJ the simplest and fastest directory server to deploy and manage.

Choosing OpenDJ as an enterprise directory service has the following benefits :

  • Lower the cost of ownership : Delivers more performance while consuming less resources (disks, memory and CPUs). Simplifies the administrative tasks by automating them.
  • Platform independence : Runs on any platform that supports Java 6, including virtualized environments.
  • High Availability : Supports deployment of multiple servers in a multi-master replication topology, providing failover and disaster recovery.
  • Secure data store : Supports different levels of authentication and authorization. Protects passwords through encryption and extensive policies.
  • Monitoring and Alerts : Can be monitored by 3rd party applications using SNMP and JMX. Supports custom alerts to inform of specific events in the service.
  • Interoperability : Supports all LDAPv3 standard specifications, most of LDAPv3 standard and experimental extensions as well as some vendor specific extensions, easing integration with applications.

After a little bit over 2 months of beta testing, OpenDJ is now ready for use into production. And with this release, the OpenDJ project delivers the features announced on OpenDS roadmap and plans to continue the development of the project in a true open and collaborative way.

OpenDJ 2.4.0 can be downloaded from our downloads page, or installed through Java WebStart by just clicking here. You can find more details about it in the Release Notes.

Enjoy !

And send us your feedback, on the OpenDJ mailing list (subscribe here) or on #opendj IRC channel.

OpenDS and Sun JVM 1.6.0_21

LudoLeave a comment

Sun^H^H^HOracle released an update to the Java Platform Standard Edition last month : JDK 6 Update 21.

Last week, both on #opends IRC channel and the users mailing list, we started to get questions on how to enable replication between 2 instances of OpenDS, because dsreplication was producing the following error message : “There are no base DNs available to enable replication between the two servers”.

This was affecting the latest stable release of OpenDS (2.2.0) as well as the latest promoted-build and daily-builds.

After several exchanges and attempts to reproduce the problem, we found that the root cause was some changes in JDK 6 update 21, and more specifically in the parsing of the LDAP filters in JNDI. The new code has a stricter parsing and will mess with LDAP filters not surrounded by parentheses. ” cn=Foo” is according to RFC 4515 not a valid filter whereas “(cn=Foo)” is.

There was one occurrence of an invalid filter in OpenDS internals, exercised when enabling replication for the first time. We fixed the issue (#4575) yesterday and starting with today’s daily-build, you can use the latest version of the Java run-time with OpenDS.

We’re looking at providing an updated version of the 2.2 version to solve this issue as well as a few other important corrections. No ETA for this though.

Update:
OpenDJ, a fork of OpenDS, has a complete resolution for this issue. You can find more about OpenDJ on ForgeRock web site : http://forgerock.com/opendj.html

OpenDS 2.3.0-build003 is now available…

LudoLeave a comment

Opends Logo TagWe have just uploaded OpenDS 2.3.0-build003, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.

OpenDS 2.3.0-build003 is built from revision 6502 of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build003/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build003, including the detailed change log

Major changes since OpenDS 2.3.0 build002 include :

  • Provides support for the MS Permissive Modify control (#4238)
  • Adds support for multiple superior objectclasses in schema (#615)
  • Updated Berkeley DB Java Edition to version 4.0.103
  • Several enhancements and fixes in the External Changelog: Reliability in special cases like disabling replication domains, naming entries by ChangeNumber (Issue #4537), performance of searches with bounded filters (#4507), supporting operational attributes…
  • Resolves an issue (#4546) during shutdown that could cause deadlock in replication
  • Resolves an issue (#4554) on Windows with the Windows services
  • Some enhancements in the GUI look and feel and in 508 compliance
  • Resolves some issues (#4529, #3891, #3404, #3402) with specific replication conflict resolution
  • Improves the startup time of the server and detection of services tags
  • Resolves an issue (#4553) with the referential integrity plugin when several attributes are configured but only one is in a user entry
  • Fixes an issue (#4386) when adding an entry with duplicate values, resulting in a NPE
  • Fixes an issue (#4468) with the way values in filters and indexes are normalized
  • Resolves some performance issue (#4384) in replication monitoring
  • Improves reliability of replication initialization protocol (Issues #3395 #3998)
  • Resolves several issues (#3966, #4406, #4536 with clients tools and control panel when the server disconnect on error
  • Fixes some issues with MakeLDIF utility
  • Resolves a few issues (#4520) within Import
  • Improves the SSHA password storage scheme to be compatible with hashes from other servers (#4558)
  • Resolves an issue (#4232) with Windows specific LDIF files during Import
  • Adds an option to log replications CSNs in the Access Logs, like Sun Directory Server does
  • Resolves an issue (#4556) with the Password Modify extended operation when some validation must be skipped for administrators
  • Resolves an issue (#2748)with the order of message logged in the access logs
  • Resolves an issue where password policies subentries are not applied after replicated

Technorati Tags: , , , , , , ,

OpenDS 2.3.0-build002 is now available…

Ludo3 Comments

Opends Logo TagWe have just uploaded OpenDS 2.3.0-build002, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.

OpenDS 2.3.0-build002 is built from revision 6400 of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build002, including the detailed change log

Major changes since OpenDS 2.3.0 build001 include :

  • Multiple improvements on the Control Panel and the Setup
  • Multiple incremental improvements with the External Changelog, including reliability and performance (Issue #4478)
  • Upgraded the version of the Berkeley DB Java Edition to 4.0.95
  • Final fix for issue #4367, removing the need for BDB logging configuration via properties
  • Fixes some memory leaks with lots of connects and disconnects (Issue #4491)
  • Resolves a NPE when using Extensible Matching filters without matching rule OID (Issue #4385)
  • Fixes an issue (#4539) with the DSML gateway with JAXB and some Application Servers
  • Fixes an issue (#4492) in ACI where an NPE would occur when the base entry contains a single RDN component
  • Improves the reliability of the OpenDS Windows Services (Issues #4084 and #4381)
  • Resolves issue #4523 where ACI and sub-entry caches were not updated on replicas
  • Resolves issue #4538 where Virtual attributes would not be retrieved when the entry cache is configured
  • Fixes an issue with access controls that would give different results for cn=Directory Manager and plain user (Issue #4547)
  • Enhances the support and compliance of LDAP subentry, Collective attributes and Password Policy
  • Resolves several issues with Replication including Issues #4514, #4533 and #4534, and enhance the way Replication servers are electing servers they connect to (Issue #4343)
  • Renamed the extensions directory to “experimental”. The only experimental extension is the ArisID privacy control
  • Fixes several issues related to building OpenDS, especially on Windows.

Technorati Tags: , , , , , , ,

Subversion authorization through LDAP with OpenDS

Ludo1 Comment

If you building a centralized development environment for a team or large group of users, the question of centralizing user identities, authentication and authorization is always popping up and the answer is often to use an LDAP directory server. The developer section of the OpenDS documentation wiki has a set of tutorials for using the OpenDS LDAP directory server with various web servers and open source project like GlassFish, Apache Tomcat, SugarCRM… But not yet for Subversion. Thankfully, Wooter van Reeven, Senior Consultant at Yenlo has just published a long and detailed tutorial for setting up Subversion authentication and authorization through LDAP, with OpenDS and Apache2.

Update on March 18th.

Wooter has also posted a copy of the article on OpenDS documentation wiki.

I’ve also been aware of an older article on the subject of Subversion with Apache and LDAP by Jeremy Whitlock, engineer in the CollabNet Subversion team. This article contains more details on the Apache configuration parameters and snippets for both Apache 2.0 and Apache 2.2.

Technorati Tags: , , , , , ,

OpenDS Tab Sweep

LudoLeave a comment

It’s been a while since I last posted an OpenDS tab sweep. So here’s a list of news and pointers related to our open source LDAP directory server.

PCQuest Top Story this month is about the Top 10 Enterprise Open Source Apps, which include OpenDS and an article on Managing Identities with OpenDS.

The OpenDS project is starting to demonstrate its maturity. Several startups and software companies are now officially supporting OpenDS.

IconcurldapintegrationiConcur Software delivers new Axiom a Requirements management tool integrates by default with OpenDS.

Bonitasoft, the leader in open source Business Process Management (BPM) and a Grenoble based company, uses OpenDS for testing its support of LDAP repositories and praises it to its own customers, for its ease of use. Ask @rodrigue !

Symeos, another high profile French startup is building its Symeos Appliance Framework on open source projects including GlassFish, OpenSSO and OpenDS.

Janua, a French IT services company specialized in identity projects has included OpenDS in its product offering and has just launched a new site for its LDAPTools.

Sopera, a german company building open source SOA is integrating OpenDS in its development tools and offering, as shown on the screenshot below (courtesy of SpringSource)

SOPERA ASF ToolSuite partial screenshot

Also in the recent days a couple of new LDAP browsers appeared.

Finally, in a introductory article titled Microsoft Azure for the Dummies, Ernest regrets the lack of flexibility in the PaaS plans from Microsoft and suggest that Java based OpenDS directory Server as a good alternative for running your own LDAP service on MS infrastructure.

Technorati Tags: , , , , ,

Directory Service Performance Optimization Strategy: Data Priming

LudoLeave a comment

Directory servers usually run for long period of times and have stable performances as all caches are warmed by the traffic. But how to get optimum performances as fast as possible right after starting the server ? Brad Diggs has published Directory Data Priming Strategies, another blog post added to the series of articles on Sun (now Oracle) Directory Server Enterprise Edition 7, ZFS and Flash Technologies.

Technorati Tags: , , , ,

The basics of Flash Memory

LudoLeave a comment

These days, everybody get excited with Solid State Disks, flash memory and the performance improvements they have over other mass storage solutions.

Sun F20 Flash accelerator boardWe’ve been running some benchmarks of Sun Oracle Directory Server 7.0 leveraging new Sun flash based hardware modules. Before we go in details about their benefits, my colleague Brad Diggs posted a very educational article on the basics of Flash Memory to set a common understanding of the technology.

Read on and get ready for more data points on how ZFS and Flash Memory can improve Directory Server performances and scalability.

Technorati Tags: , , , ,

Oracle and Sun Directory Services…

Ludo1 Comment

Mark Wilcox, principal product manager for Oracle Virtual Directory has posted an initial update with regards to Oracle and Sun directory services.

Nothing really detailed so far, but it’s good place to post your comments on the Oracle + Sun Identity Management Strategy and more specifically regarding directory services.

To me and my coworkers, the most important messages are :

We are going to continue to offer both Oracle Internet DirectoryAND Sun Directory Server Enterprise Edition

and

OpenDS will remain an open-source project

Details are still being discussed and ironed out, but I hope to be able to share them soon. Stay tuned !

Technorati Tags: , , , , ,

Sun Directory compresses data for better performance !

Ludo3 Comments

Sun Directory Server Enterprise Edition 7.0 was released last November, and in the December timeframe Brad Diggs and Wajih Ahmed, both Principal Field Technologists and big experts in Directory Services, backed with engineers from the Directory engineering team and Mr Benchmark, put the product on the test bench to evaluate its performance and scalability with Sun new hardware and especially the new F-20 PCIe flash drives (see also what Mr Benchmark says about the F-20).

Brad’s first article describes how much Directory Server 7 entry compression rocks, "extending search performance by more than 50% through increased caching potential". Brad provides details of his findings and gives the commands to run to get the benefits of DSEE 7 in your deployment.

The entry compression feature is also available in the technology that will power future versions of Sun Directory Enterprise Edition: the OpenDS project. In OpenDS, there are 2 options to reduce the size of entries stored in the database. The first one is called entry compaction, and it’s enabled by default. The entry compaction feature removes all references to attribute names and replace them with small identifiers. The second option is actually entry compression which will use the popular ZLib algorithm. This option is not activated by default, but it’s just a command away :

<OPENDS_HOME>/bin/dsconfig -X -p 4444 -h localhost -D cn=Directory\ manager\
 -w password -n set-backend-prop \

 –backend-name userRoot –set entries-compressed:true

Below is the dsconfig usage for disabling entry compaction with OpenDS:

<OPENDS_HOME>/bin/dsconfig -X -p 4444 -h localhost -D cn=directory\ manager\
 -w password -n set-backend-prop \

 –backend-name backend –set compact-encoding:false

Here’s a table that compares the size of the databases of OpenDS 2.2.0 with no compat encoding, with it (default settings) and with compression enabled. The table compares the size of the entry record within the database as well as the overall size of the database which also includes indexes (default OpenDS settings).

Entry Count LDIF Entry Size Uncompacted Entry Size Compacted Entry Size Compressed Entry Size Uncompacted DB Size Compacted DB Size Compressed DB Size
100K 599 b 645 b 481 b 361 b 178.8 MB 163.20 MB 151.65 MB
-34% 25% -9.6% 7.1%
1M 603 b 649 b 485 b 364 b 1,515 MB 1,358 MB 1,243 MB
-34% 25% -11.5% 8.5%
10M 607 b 653 b 490 b 363 b 13,973 MB 12,416 MB 11,188 MB
-33% 26% -12.5% 9.9%


The percentages are computed from the reference value which is the default i.e. compacted. A negative value means an increased size, a positive one means a reduced size.

The second table compares the import times for the 3 different modes for storing entries, for the 3 sample data files.

Entry Count Uncompacted Compacted Compressed
100K 21 s 21 s 22 s
1.1% -3.5%
1M 106 s 107 s 112 s
0.5% -4.9%
10M 1006 s 1009 s 1101 s
0.2% -8.9%

Note: in this table, negative numbers represent increase in time required to import compared to the default settings.

Enabling compression does result in a smaller disk use with that sample data (fully random values), but does come with a performance penalty at least at import time, less than 10% but the penalty increases with the amount of entries.
If you’ve read Brad’s article on DSEE entry compression, you understand that the smaller the entries in the database, the more can be potentially cached in the Database Cache and the better the overall performances are. So if your entries are quite large, contain values that are strings, you should consider enabling the entry compression with OpenDS.

Changing from the default mode (compacted) to uncompacted mode does not give any real advantage in performance, but does increase the disk space usage, so I do not see the value of changing these settings in OpenDS.

Anyway, the benefits of having compact entries in the database are available today with Sun Directory Server Enterprise Edition 7 and Sun OpenDS Standard Edition 2.2, and are helping customers to reduce the overall cost of ownership of the directory services.

Technorati Tags: , , , ,